Disable ssh-agent from gnome-keyring on Gnome

I run the GNOME desktop environment, so gnome-keyring is enabled by default. I do not want gnome-keyring to remember the passwords to my ssh-keys. Or at least I do not want it to remember the passwords forever, maybe set a timeout for 5 minutes or something. I searched through the NixOS options, but did not see anything obvious to accomplish this. The only thing I found was the enable option, but when I disabled it, it conflicted with enabling the GNOME desktop environment. I also looked through the home-manager options, where I removed ssh from the following option, but this does not seem to have changed the behavior.

  services.gnome-keyring.components = [ "pkcs11" "secrets" ];

Maybe it’s due to the GNOME desktop environment starting a systemd system-level unit, whereas home-manager starts a systemd user-level unit?

The home-manager module creates a new systemd user service that starts the requested components but you need to enable it with services.gnome-keyring.enable = true in your home-manager configuration.

But since the GNOME NixOS module enables the gnome-keyring module by default, it will still start the ssh component. And because gnome-keyring currently uses XDG autostart files instead of systemd services, it is not possible to nicely disable it.

You could try force-disabling the NixOS module using services.gnome.gnome-keyring.enable = lib.mkForce false; in NixOS configuration but that will likely break something – many GNOME apps expect GNOME Keyring services to be available and the module does some things not done by home-manager. So you should probably leave the home-manager option alone, it is mainly meant for non-GNOME desktop environments.

If the recommendation on the Arch wiki is correct, you should be able to mask the autostart file and change the SSH_AUTH_SOCK environment variable, though.

Relevant issue: Allow setting `gnome-keyring` components · Issue #166887 · NixOS/nixpkgs · GitHub

If you’re able to set SSH_AUTH_SOCK, it will always override the GKR agent. Clients use that env variable to find the agent.
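A way to confirm which agent SSH clients will actually reach, and whether the autostart entry is masked, added here as an example and not part of any post in this thread. It assumes gnome-keyring's socket lives under `$XDG_RUNTIME_DIR/keyring/`, that the autostart entry is named `gnome-keyring-ssh.desktop`, and that masking means a per-user copy containing `Hidden=true`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report which SSH agent the session points at and whether
# the gnome-keyring SSH autostart entry is masked for this user.
# Assumed (not stated in the thread): socket path layout, entry file name.

# Classify an SSH_AUTH_SOCK value. $1 = socket path, $2 = XDG runtime dir.
agent_kind() {
    sock=$1
    runtime=${2:-/run/user/$(id -u)}
    case "$sock" in
        "")                   echo none ;;           # clients find no agent
        "$runtime"/keyring/*) echo gnome-keyring ;;  # GKR ssh component
        *)                    echo other ;;          # e.g. a plain ssh-agent
    esac
}

# Return 0 if directory $1 holds a gnome-keyring-ssh.desktop with
# Hidden=true, the XDG autostart way to override a system-wide entry.
autostart_masked() {
    entry=$1/gnome-keyring-ssh.desktop
    [ -f "$entry" ] &&
        grep -Eq '^[[:space:]]*Hidden[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$entry"
}

# Print a short summary for the current session.
report() {
    kind=$(agent_kind "${SSH_AUTH_SOCK:-}" "${XDG_RUNTIME_DIR:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} -> agent: $kind"
    if autostart_masked "${XDG_CONFIG_HOME:-${HOME:-}/.config}/autostart"; then
        echo "gnome-keyring-ssh autostart entry: masked"
    else
        echo "gnome-keyring-ssh autostart entry: not masked"
    fi
}

report
```

Once `report` shows an agent other than gnome-keyring and that agent is OpenSSH's `ssh-agent`, `ssh-add -t 300 <key>` loads a key with the five-minute lifetime asked for in the question.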

You can disable the ssh component of the GnomeKeyring by adding an overlay for gnome.gnome-keyring that sets the configure option --disable-ssh-agent as described in [Disabling SSH agent support in GNOME Keyring] and [Overriding a package inside a scope].

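# Overlay: rebuild gnome-keyring inside the gnome scope without its SSH agent.
final: prev: {
  gnome = prev.gnome.overrideScope' (gfinal: gprev: {
    gnome-keyring = gprev.gnome-keyring.overrideAttrs (oldAttrs: {
      # Keep any existing configure flags and append the one that drops the agent.
      configureFlags = oldAttrs.configureFlags or [ ] ++ [
        "--disable-ssh-agent"
      ];
    });
  });
}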